forked from djhaynes/inspec-profile-disa_stig-el7
-
Notifications
You must be signed in to change notification settings - Fork 0
/
attributes.dev.yml
163 lines (132 loc) · 4.28 KB
/
attributes.dev.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
#This file specifies the attributes for the configurable controls
#used in the RHEL 7 DISA STIG.
# The control should find the two defaults automatically
# if you are using a different default path for the boot conf - set it here
#grub_conf_path: '/boot/grub2/grub.cfg'
#Controls that are known to consistently have long run times can be
#disabled using the DISABLE_SLOW_CONTROLS attribute.
disable_slow_controls: false
# V-72081 - 'monitor_kernel_log', (bool)
#'Set this to false if your system availability concern is not documented or
#there is no monitoring of the kernel log',
monitor_kernel_log: true
#V-71859.rb (already set to true)
banner_message_enabled: 'true'
# V-72211 (default: false)
log_aggregation_server: false
# V-72213 ( default: true )
# This may only be disabled by exception and will be required to be enabled
# for full accredidation
enable_av: true
# V-72047 ( default: [] )
# 'Known application groups that are allowed to have world-writeable files or directories'
application_groups: []
# V-72307
x11_enabled: false
# 'Accounts that are not allowed on the system (Array)'
disallowed_accounts: [
'games',
'gopher',
'ftp',
]
# description: 'accounts of known managed users (Array)
user_accounts: []
# System accounts that support approved system activities. (Array)
known_system_accounts:
[
'root',
'bin',
'daemon',
'adm',
'lp',
'sync',
'shutdown',
'halt',
'mail',
'operator',
'nobody',
'systemd-bus-proxy',
'systemd-network',
'dbus',
'docker', # account used by the docker daemon
'polkitd',
'tss', # Account used by the trousers package to sandbox the tcsd daemon
'postfix', # Service Account for Postfix Mail Daemon
'chrony', # Service Account for the Chrony Time Service
'sshd', # Service Account for SSH
'ec2-user', # Service Account for EC2 Access in AWS
'sssd', # Service Account for the SSSH Authentication service
'rpc', # Service Account RPCBind Daemon
'unbound', # Service Account UnBound Daemon
'ntp', # Service Account for NTPD Daemon
'vboxadd', # known Virtualbox user
'nfsnobody', # service account for nsfd
'vagrant', # known service account for vagrant / Virtualbox
'nginx', # known service account for nginx web-server
'rpcuser', # known centos system account for nsf
'apache', # known apache system account
'mysql', # known mysql system account
]
#V-71861.rb
#banner_message_text_gui:
#V-71863.rb
#banner_message_text_cli:
#V-72225.rb
#banner_message_text_ral:
#V-71911.rb
#DIFOK (minimum number of characters that must be different from
#previous password)
difok: 1
#V-71933.rb
#MIN_REUSE_GENERATIONS (number of reuse generations)
min_reuse_generations: 24
#V-71935.rb
#MIN_LEN (number of characters)
min_len: 8
#V-71941.rb
#DAYS_OF_INACTIVITY (number of days)
days_of_inactivity: 90
#V-71943.rb
#UNSUCCESSFUL_ATTEMPTS (number of unsuccessful attempts)
#FAIL_INTERVAL (time in seconds)
#LOCKOUT_TIME (time in seconds)
unsuccessful_attempts: 3
fail_interval: 900
lockout_time: 1800
#V-71945.rb
#UNSUCCESSFUL_ATTEMPTS_ROOT (number of unsuccessful attempts)
#FAIL_INTERVAL_ROOT (time in seconds)
#LOCKOUT_TIME_ROOT (time in seconds)
unsuccessfully_attempts_root: 3
fail_interval_root: 900
lockout_time_root: 1800
#V-71973.rb
#FILE_INTEGRITY_TOOL (name of tool)
#FILE_INTEGRITY_INTERVAL (monthly, weekly, or daily)
file_integrity_tool: aide
file_integrity_interval: monthly
#V-72223.rb
#SYSTEM_INACTIVITY_TIMEOUT (time in seconds)
system_inactivity_timeout: 600
#V-72237.rb
#CLIENT_ALIVE_INTERVAL (time in seconds)
client_alive_interval: 600
# V-71965.rb values: (enabled or disabled)
smart_card_status: 'enabled'
# V-72011.rb
#EXEMPT_HOME_USERS (list of users exempt from needing a home drive in array format)
exempt_home_users: []
##control "V-71961
#description: 'main grub boot config file'"
grub_main_cfg: '/boot/grub2/grub.cfg'
#description: 'superusers for grub boot ( array )'
grub_superusers: ['root']
#description: 'grub boot config files'
grub_user_boot_files: ['/boot/grub2/user.cfg']
##control "V-71963"
#description: 'superusers for efi boot ( array )'
efi_superusers: ['root']
#description: 'efi boot config files'
efi_user_boot_files: ['/boot/efi/EFI/redhat/user.cfg']
#description: 'main efi boot config file'
efi_main_cfg: '/boot/efi/EFI/redhat/grub.cfg'